IETF Logo Mail Archive

[OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation

Pieter Kasselman <pieter@defakto.security> Thu, 05 February 2026 12:44 UTC

Return-Path: <pieter@defakto.security>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4DB96B23E3B6 for <oauth@mail2.ietf.org>; Thu, 5 Feb 2026 04:44:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=defakto.security
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oWXkLh7h_49R for <oauth@mail2.ietf.org>; Thu, 5 Feb 2026 04:44:37 -0800 (PST)
Received: from mail-vk1-xa29.google.com (mail-vk1-xa29.google.com [IPv6:2607:f8b0:4864:20::a29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DE2ABB23E3A5 for <oauth@ietf.org>; Thu, 5 Feb 2026 04:44:37 -0800 (PST)
Received: by mail-vk1-xa29.google.com with SMTP id 71dfb90a1353d-5664634a27fso244410e0c.1 for <oauth@ietf.org>; Thu, 05 Feb 2026 04:44:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770295470; cv=none; d=google.com; s=arc-20240605; b=HOlo3bGJjTRyw3e+hjZlgaoeQDl8kjxiU//pRGs+CJHU6sMBva70YK/KiLqYVQAjf/ j8xRmv5nit2EKAK6vUOhmhcVY0f/ECcXhKAajF9UKNWsgF83gB307bQ9Ju0zHCg/arGf RK/DCcR9wEJnSu323Ndoilc+wihpGT+u9+Ln+mij4IO4tmsIzVDrad7rzpeBDqHdpqyf yjxTUYE3LGnYA366fiqEn2svjgjJzTcNtwWEAEyzmv4MHgcVsQIrCLeYtTIg0muniE8j oP08beaFWLj0vVwwwKYROxOuxsilzCiZ++hL1rAfcM1bvTSRKvqe5nbXPnFnv5AgHhrK 7Cgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=5QOvoVulKlU69pBGyLFzVOG9vYjoYYMxtjobk0rzP5A=; fh=DEiMDMsRfmD7peTCnfn++vCKXwykTt/qxhDbBtQ6wQc=; b=ZDpt9/lknyV9IU//2zI2LD6uQjSBDxi4jop/3bMqgbaF5FJ5QGW4q5CWxlm6RDfGQp /er5nM6Sfyd71h3qebryuytIsSB5NobL0JCgIqfTCzK6XhCnVje13Of5zKGwnQQTOw+d T5RtYStjr2ZkjJZ+NVXmzb1EVgETYmrElFe0lUwSWfv2z72wxYcV/siUWP38a6xhl+l2 y91U44iz5coxnDgIpHu2YjWcdeGu8uhVpnrYrfKkiqM8x710/5PTarwOoGInLQC1kNM+ j+hYm2hBXiOijcHIf9BTcf0VFmHTNvIpP8N5WJIDebG4OfhCdaHGebz9CMjyNt1tPsag XoPA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defakto.security; s=google; t=1770295470; x=1770900270; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=5QOvoVulKlU69pBGyLFzVOG9vYjoYYMxtjobk0rzP5A=; b=lRXuWwLY8GyeItOXwOztE02JjY6kL7+utBYcDetJ3PpDrY/tcOK4A3cc9vG33Hnhr5 d8Qen1YdoBBMpSs4ljQ3ImI8D0mLGS2SxPvbUzxw3ZdeN09GRi4mElHKfuxSAiGeShV+ DhEOa0IAC+5xLiRVx43znjEHsn/YYKlr7YTHTsRe+jat0Y04/2LBjliJByflYuTjlgf/ 0gDQvv/ZCUTPrliD/o1igZVixGje/MGPtlEmo9KtZrLHb5CibGhsvZQOjTOzZrAGfAAC rnCHXfHdTaQOaYWDLW1zeNT/gA8u+780CccIMzz3Sf/3d+qM22DqLlsFy1mnZOE/4aGP swbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770295470; x=1770900270; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=5QOvoVulKlU69pBGyLFzVOG9vYjoYYMxtjobk0rzP5A=; b=wbPUMZRqSShlfJzKIAeaSTkiUHUJno8d1hQWaSHaTUxYDK/kDnJ+OjVqxC5FLd2ZQw xy6lI/83n4bj57hUmT88VGD2Gv4P5CHtRzEJFvu0W4E9VDTt0c9ZyyZANoJYY7uzytUf btqubKfLXQ1WZ3NflIhb0q23gav4uEdkep1ENTDgpICpF168ElCt5moTXt+0mBbZC+19 WxXDRXZx2NO0rsZKZZXRmDgMQ7reWBOu/hxtXkQtYJio6kgkOSU9HCC2lkk9lmArIK4n P8pj4KDKK3Zu9I6ijx+dxHPTqoT3e8dWA5Ppmof2dugjaja9nKRSM42TlCxWJDl/MnZp zRTg==
X-Forwarded-Encrypted: i=1; AJvYcCURSsqPHhhntRjsIz2FVB1q0e3s8dURyB4nr1w3My8ktRwPt3ZdBce5imPiPDDpWGJloS7LZw==@ietf.org
X-Gm-Message-State: AOJu0YxIO8veilBeIqI0CkSr3UhpliBveAztWLn9NUqQglb2APkcaF9P uG9jWKoSqyCb6FcC3zJAuJ7OLQBoQiGNxtkFcwwqZUwQ7KSZqJwM6xtfv2fEpZf72JIrR9Ukmmw yIi72a5adFS825/Yy7Ki1tFRI0c4yxMWQtsGAmOgMMg==
X-Gm-Gg: AZuq6aKmMp6d8bEmrQjA0K4p105o5m5001utp0AAs9n/fk2vqvXbCJGKCOzlbyb2Oxu di2SrPdcOmsIA76hTTV5Vovcyfr8v6wmgG7BYM1GUClsOEIF+Cv2NSI3XhQLgLWOwz7Larj9/+m hcIbF9zqHi6D7k6g+OZDwjfvNvl3RjhmNQrbeJRYjuCFfO9MdwYnPRUicO6GusZjesPdJ+vEL9U fM4IiY0ioUhfRjKQohzjiYQKGqaegjjZF6y6HKDpREwJPuTZlwYdxaBrHS3jT7ep+SGb3ank83+ q3dD6llwsz3fzrR+pf1qeIloEqDQ05jWs+ojHSdrblMBz2+OnJeCcQWj8aE=
X-Received: by 2002:a05:6102:b10:b0:5db:fe41:747b with SMTP id ada2fe7eead31-5f9394fc992mr1945375137.18.1770295470460; Thu, 05 Feb 2026 04:44:30 -0800 (PST)
MIME-Version: 1.0
References: <CAC7mS1-RovjjCGg16W9W1YpcZgrDD4Ng0D2w9FQN1rCB0dxi5g@mail.gmail.com> <CAGBSGjpsShrJR0TtsncrCpX=qYg1kF4HSqznqNN3F+CP9-41gA@mail.gmail.com> <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com> <CAC7mS1_2jfC4++tuZX4smJVrcDYzr-=VbK2VHYU2N5jH2EfaEQ@mail.gmail.com> <CA+k3eCT0R1FLZerrO=FfLwJyx6XgdShzh7mVRndmoTE6nMGqQA@mail.gmail.com>
In-Reply-To: <CA+k3eCT0R1FLZerrO=FfLwJyx6XgdShzh7mVRndmoTE6nMGqQA@mail.gmail.com>
From: Pieter Kasselman <pieter@defakto.security>
Date: Thu, 05 Feb 2026 04:44:19 -0800
X-Gm-Features: AZwV_QhATnm_rKjGPt2Yz9ic2oVlQ2shGsiguUfQWU4GfalHqSGKYu_MJksk--Y
Message-ID: <CALtWOA3TCXd02WSO9odywT5bwrn-E20zYiJudZ9BzVs07hF7pw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aa2295064a130817"
Message-ID-Hash: MBHPBEJT5X2VHX6RW5IJL3CSB4NMLJ5B
X-Message-ID-Hash: MBHPBEJT5X2VHX6RW5IJL3CSB4NMLJ5B
X-MailFrom: pieter@defakto.security
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tarun Nanduri <tarunnanduri7@gmail.com>, oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/awBETJ0ChT8PWes9dIwlVAOWI9Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Tarun

I agree with Brain and Aaron that your use case can likely be addressed by
the Identity and Authorization Chaining Across Domains draft [1]. You could
always profile it further if needed. Is there a reason you would not be
able to use that draft?

Cheers

Pieter

[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/

On Wed, Feb 4, 2026 at 9:31 PM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

> Hi Tarun,
>
> As Aaron mentioned there are less tightly profiled variations of this
> general flow, like oauth-identity-chaining
> <https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/>or
> rfc8693 <https://datatracker.ietf.org/doc/html/rfc8693> + rfc7523
> <https://datatracker.ietf.org/doc/html/rfc7523> together directly, that
> don't have the same constraint regarding the IDP not issuing access tokens
> in response to an ID-JAG it issued itself. Perhaps that might meet your
> needs? Although those are intended for cross domain as well. Honestly, much
> of this seems like more than is needed for a same idp / same domain case.
>
> On Tue, Feb 3, 2026 at 8:13 PM Tarun Nanduri <tarunnanduri7@gmail.com>
> wrote:
>
>> Dear Aaron,
>>
>> I am awaiting your feedback on this. To summarize,
>>
>> When an Identity Provider (IdP) does not support Single Sign-On (SSO) due
>> to the nature of the systems involved, and a user needs to transfer their
>> session to another application without re-logging in, I feel ID-JAG offers
>> a secure and seamless solution, providing a smooth user experience.
>>
>> The RFC, as stated in previous emails, explicitly prohibits using the
>> specification within the same IdP. Considering the zero-trust model
>> typically applied within the same IdP, are we open to modifying the
>> specification to allow its implementation within such environments?
>>
>> Best Regards,
>> Tarun Nanduri.
>>
>> On Fri, Dec 5, 2025 at 8:46 AM Tarun Nanduri <tarunnanduri7@gmail.com>
>> wrote:
>>
>>> Hi Aaron,
>>>
>>> Thanks for the response, and pointing me to the Identity Chaining draft.
>>> However, after looking at it, I don't think it applies to the use-case I
>>> shared above (please feel free to correct here). It looks like it's
>>> designed for cross-domain scenarios* whereas the use-case I shared
>>> above has*,
>>>
>>>    - Both the clients are in same trust domain
>>>    - We have single authorization server (it's the IdP too)
>>>
>>> The challenge we are trying to solve is,
>>>
>>>    - Client A needs to transfer user session to client B
>>>    - WITHOUT Client A sharing its access token with client B (security
>>>    risk due to token exposure, invalid audience, unnecessary privileges etc.)
>>>    - Both clients trust the same IdP
>>>
>>> This is why we're intending to use RFC8693, but it still requires client
>>> A to send access token (after token exchange) to client B which creates
>>> exposure we're trying to avoid. The ID-JAG pattern (cryptographic proof of
>>> identity, not a usable token) would be perfect, except the prohibition
>>> defined in section 8.3 of Identity Assertion draft:
>>> 8.3.
>>> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#section-8.3>Cross-Domain
>>> Use
>>> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#name-cross-domain-use>
>>>
>>> This specification is intended for cross-domain uses where the Client,
>>> Resource App, and Identity Provider are all in different trust domains. In
>>> particular, the Identity Provider MUST NOT issue access tokens in
>>> response to an ID-JAG it issued itself. Doing so could lead to
>>> unintentional broadening of the scope of authorization.
>>> My question remains, Can the section 8.3 prohibition be satisfied with
>>> enough security controls (scope validation, replay prevention etc.) for
>>> same IdP scenarios, or is it a hard limitation?
>>>
>>> Thanks and Regards,
>>> Tarun Nanduri.
>>>
>>>
>>> On Fri, Dec 5, 2025 at 1:53 AM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> Hi Tarun,
>>>>
>>>> It sounds like what you are looking for is the parent draft of this
>>>> draft, Identity and Authorization Chaining Across Domains:
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
>>>>
>>>> The document that defines the ID-JAG, Identity Assertion Authorization
>>>> Grant, is a special case of Identity Chaining where both the client and
>>>> resource have a pre-existing relationship with the same IdP. So I don't
>>>> view it as a limitation, it's actually an optimization when there is a
>>>> common IdP. The Identity Chaining draft is the same as this draft except it
>>>> doesn't specify the input token format or the reason why the client and
>>>> resource trust the cross-domain JWT issuer.
>>>>
>>>> Aaron
>>>>
>>>>
>>>>
>>>> On Mon, Dec 1, 2025 at 8:11 AM Tarun Nanduri <tarunnanduri7@gmail.com>
>>>> wrote:
>>>>
>>>>> Dear OAuth Working Group & Aaron,
>>>>>
>>>>> I would like to provide feedback on the OAuth Identity Assertion
>>>>> Authorization Grant (ID-JAG) specification, specifically regarding
>>>>> the prohibition against same-IdP usage.
>>>>>
>>>>> Use Case:
>>>>>
>>>>> In microservices architectures using the same IdP, there is a
>>>>> legitimate need for service-to-service identity delegation WITHOUT
>>>>> sharing access tokens directly:
>>>>>
>>>>> - Application A has a user-scoped token
>>>>> - Application A needs to invoke Application B on behalf of user
>>>>> - Sharing Token A with Application B creates security risks:
>>>>>   * Token exposure between services
>>>>>   * Replay attacks
>>>>>   * Over-privileged access
>>>>>   * Audience mismatch
>>>>>
>>>>> The Gap:
>>>>>
>>>>> ID-JAG's assertion pattern solves this perfectly:
>>>>> - Application A creates a cryptographic identity assertion
>>>>> - Assertion is audience-bound to Application B
>>>>> - Application B exchanges assertion for its own token
>>>>> - No credential sharing between services
>>>>>
>>>>> However, the same-IdP prohibition prevents this legitimate use case.
>>>>>
>>>>> Suggestion:
>>>>>
>>>>> Consider either:
>>>>> 1. Removing the same-IdP prohibition with appropriate security guidance
>>>>> 2. Adding an exception for service-to-service delegation scenarios
>>>>> 3. Providing guidance on how to achieve this pattern within the same
>>>>> IdP
>>>>>
>>>>> RFC 8693 (Token Exchange) doesn't fully address this use case as it
>>>>> requires sending the actual token (subject_token), which is what we're
>>>>> trying to avoid.
>>>>>
>>>>> Security Considerations:
>>>>>
>>>>> With zero-trust validation, same-IdP assertions can be just as secure
>>>>> as cross-IdP:
>>>>> - Validate assertion issuer is authorized
>>>>> - Apply fresh authorization policy evaluation
>>>>> - Enforce audience restrictions
>>>>> - Use short-lived assertions
>>>>> - Implement scope intersection, not broadening
>>>>>
>>>>> Would appreciate the working group's consideration of this use case.
>>>>>
>>>>> Best regards,
>>>>> Tarun Nanduri.
>>>>>
>>>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status